Hi, Christian!
I've found a post about this problem here.
http://stackoverflow.com/questions/26592821/configure-authentication-for-servlets-in-osgi
Achim answered here that the only way to authenticate in Servlets
registered the OSGi way (whiteboard in our case) is to use a specific
HttpContext with the Servlet.
I tried to use AuthHttpContext from Pax Web Samples with a modified method for
JAAS login:
protected boolean authenticated(HttpServletRequest request) {
    request.setAttribute(AUTHENTICATION_TYPE,
            HttpServletRequest.BASIC_AUTH);
    try {
        // JAAS login with the credentials from the Basic auth header
        LoginContext lc = new LoginContext(realm,
                new BasicAuthCallbackHandler(
                        request.getHeader("Authorization")));
        lc.login();
        // Empty placeholder action
        Subject.doAs(lc.getSubject(), new PrivilegedAction<Void>() {
            @Override
            public Void run() {
                return null;
            }
        });
        // Subject lookup performed after doAs() has returned
        AccessControlContext acc = AccessController.getContext();
        Subject subject = Subject.getSubject(acc);
        System.out.println(subject == null);
        request.setAttribute(REMOTE_USER, "test");
        return true;
    } catch (LoginException e) {
        return false;
    }
}
There's a mock PrivilegedAction, doing nothing.
But the subject is null again in AccessController.getContext() even after
Subject.doAs().
What can the problem be?
Thanks in advance!
Pavel
cschneider wrote
> A JAAS login is not enough. You also need to call subject.doAs(handler);
> Inside this call the AccessControlContext will then contain your subject.
>
> For web there should be a better way to establish a JAAS context. Maybe
> you can make pax web or jetty check the authentication and
> already establish a JAAS context for you. I forwarded to Achim. He might
> know if that works.
>
> Christian
--
View this message in context:
http://karaf.922171.n3.nabble.com/Security-in-Module-tp4039307p4041072.html
Sent from the Karaf - User mailing list archive at Nabble.com.
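
The scoping that the quoted reply describes ("Inside this call the AccessControlContext will then contain your subject"), as an added example that is not part of the original message or of Pax Web: the Subject is bound only while the action passed to Subject.doAs() is running, so a lookup after doAs() returns sees none, and the work that needs it has to run inside the action. The request map, the attribute name, the hand-built Subject and the method names are stand-ins invented for this sketch, and it assumes the Java 8-era JAAS API used in the post (AccessController is deprecated in current JDKs).

```java
import java.security.AccessController;
import java.security.Principal;
import java.security.PrivilegedAction;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;

public class DoAsScopeDemo {
    // Hypothetical attribute name, used only in this example.
    static final String SUBJECT_ATTR = "example.jaas.subject";

    // Name of the first principal bound to the current access control context, or null.
    static String currentUser() {
        Subject s = Subject.getSubject(AccessController.getContext());
        return (s == null || s.getPrincipals().isEmpty())
                ? null
                : s.getPrincipals().iterator().next().getName();
    }

    // Stand-in for the HttpContext security check: it returns before the
    // servlet runs, so it can only hand the Subject on, not bind it.
    static boolean handleSecurity(Map<String, Object> request) {
        Subject subject = new Subject(); // constructed here; normally lc.getSubject()
        subject.getPrincipals().add((Principal) () -> "test");
        Subject.doAs(subject, (PrivilegedAction<Void>) () -> null); // no-op, as in the post
        request.put(SUBJECT_ATTR, subject);
        return true;
    }

    // Stand-in for the servlet's service(): the protected work runs inside doAs().
    static String service(Map<String, Object> request) {
        Subject subject = (Subject) request.get(SUBJECT_ATTR);
        return Subject.doAs(subject, (PrivilegedAction<String>) DoAsScopeDemo::currentUser);
    }

    public static void main(String[] args) {
        Map<String, Object> request = new HashMap<>();
        handleSecurity(request);
        System.out.println("after handleSecurity(): " + currentUser());
        System.out.println("inside service() doAs:  " + service(request));
        System.out.println("after service():        " + currentUser());
    }
}
```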